Few areas of regulation are advancing as quickly in Asia as data privacy regulation. This year marks the tenth anniversary of the APEC Privacy Framework and we now see “European style” comprehensive data privacy regimes in a dozen jurisdictions across the Asia-Pacific region.
Hogan Lovells data protection lawyers Mark Parsons and Eugene Low recently hosted in-person seminars at Hogan Lovells’ offices in Hong Kong to take stock of where Asia is in terms of data privacy regulation, and to help chart a roadmap to compliance. The focus of these discussions was on identifying “hot spots” for businesses operating across the region and pointing to practical measures and points of prioritisation. The discussions also considered steps to be taken to prepare for and react to data breach events, with a seasoned view of regulatory attitudes and approaches to enforcement and remediation.
To access a video recording of Data Privacy Regulation in Asia – A Practical Way Forward to Compliance, click here.
Following on from the Article 29 Working Party’s Opinion in June, the European Data Protection Supervisor (EDPS) has now published his own recommendations for the proposed General Data Protection Regulation (GDPR). Unsurprisingly, given that the EDPS is a member of the Working Party, the views expressed are in line with that Opinion. At this point you may be tempted to stop reading, but wait, there is more. In addition to expressing his vision of the GDPR and producing his own recommendations for every single article of the GDPR, the EDPS has demonstrated his commitment to practicality by making all of this available as a mobile app. The app allows you to select which of the drafts you wish to see side by side, scroll rapidly through the contents to select a particular article, or search the whole text so you can see at a glance what each version says, for example, about pseudonymisation or profiling. Whilst the app may have limited appeal, and is unlikely to keep small children entertained on long car journeys, it will be a thing of joy for its target audience.
Making the UK a safe place to live and prosper is not a small matter. Whatever the root causes, the threats to public safety are real and a political priority for government and opposition alike. This huge responsibility, combined with the complexities of 21st century communications, has resulted in a succession of laws aimed at legitimising the ability of law enforcement and intelligence agencies to tap into our digital lives. Just like technology itself, this is a moving target, and policy decisions in this area have come thick and fast – not just in the UK but in many other democracies around the world.
In a move counter to the trending precedent in data breach litigation, the U.S. Court of Appeals for the Seventh Circuit ruled on July 20 that data breach plaintiffs whose personal information was potentially exposed in a confirmed hacking breach of a major retailer’s network alleged enough risk of harm to meet the standing requirements of Article III of the U.S. Constitution. Plaintiffs’ lawyers will herald this decision, but standing is only the first of many hurdles data breach plaintiffs must clear to proceed to the merits in data breach litigation.
Spain is well known for having one of the most restrictive data protection regimes in the European Union (EU). It also has some of the highest penalties (fines of up to € 600,000 per infringement), and a data protection authority – the Spanish Data Protection Agency (AEPD) – with a reputation for being one of the fiercest in the EU. Moreover, the penalties envisaged are not only on paper; they are applied on a regular basis by the AEPD. For instance, in the past few years, it has imposed fines of € 450,000, € 900,000 and € 1,400,000.
Fulfillment of the Spanish data protection requirements is not an easy task. However, it is not impossible either. Hogan Lovells has prepared a detailed analysis of key Spanish data protection issue areas—such as consent; disclosures; cookies; access, rectification, cancellation, and objection; and international transfers—to help companies understand Spanish data protection requirements.
To download Data Protection Compliance in Spain: Mission Impossible?, click here.
Introduction to mobile Health and data protection laws
The mobile Health (mHealth) sector is rapidly developing and revolutionising the healthcare market. More and more consumers share information such as medical and physiological conditions, lifestyles, daily activity and geolocation via all kinds of health-related mobile applications and devices. The growing success of mHealth, however, inevitably casts a spotlight on compliance with privacy protection laws. Data protection agencies (DPAs) and supervisory bodies in the EU recently raised concerns about the collection, processing and use of customers’ data by mHealth apps and mobile devices. This post introduces the key hot spots involving mHealth and data protection laws, before we dig deeper into other issues in a series of consecutive posts on this blog in the upcoming weeks.
Last month, bankrupt company RadioShack settled with a coalition of seventeen attorneys general, agreeing to destroy most of the customer data in its files. The agreement was part of a Bankruptcy Court-approved $26.2 million sale of RadioShack’s assets.
The Federal Trade Commission (“FTC”) has published new guidance that “summarizes lessons learned” from the FTC’s 50-plus data security settlements, while also announcing a series of data security conferences. In the new guidance, titled “Start With Security: A Guide for Business,” the FTC acknowledges that the data security requirements contained in the settlements apply only to the affected companies. However, the settlements—and the FTC’s distillation of them—reveal regulatory expectations and identify risks that can affect companies of all types and sizes. In this post, we summarize the FTC’s new guidance and provide details on the FTC’s data security conferences happening this fall.
Across the country, we’re in the midst of “Unmanned Aircraft Systems (UAS) fever” – industries from media, agriculture and energy to insurance, real estate and construction are seeking FAA approvals to fly UAS here in the United States. UAS technology has improved at a rapid pace, and offers a vast array of safety and efficiency benefits to companies for a wide variety of uses.
But while the benefits from commercial uses of UAS are great, many have also been vocal with their privacy concerns. It may very well be that for industry to succeed, various stakeholders will need to engage in a national conversation surrounding these issues.
Emerging technologies, such as cloud computing and the “smart city,” have the potential to greatly advance our quality of life. The use, retention, and storage of data that go along with them, however, have raised citizen concerns about privacy risks. The National Institute of Standards and Technology (“NIST”) addresses these concerns in a new draft report titled Privacy Risk Management for Federal Information Systems (NISTIR 8062), which was released on May 29, 2015. The report introduces NIST’s Privacy Risk Management Framework (“PRMF”), which anticipates and addresses privacy risk resulting from the processing of personal information. NIST intends the framework to lay the foundation for a common vocabulary that facilitates better understanding of (and communication about) privacy risks and how to effectively implement privacy principles. Although the report is directed at federal systems, the principles outlined may be useful for any business that processes personal information. The NIST report focuses on the development of two key pillars of the PRMF: privacy engineering objectives and a Privacy Risk Model.